A vulnerability in Next.js (CVE-2025-29927) allows attackers to bypass authentication by sending the 'x-middleware-subrequest' header. Vercel-hosted apps are safe after patching. Other apps can block the header with a WAF to mitigate the risk. Write a blog post about this authentication bypass detailing the vulnerability, affected versions, and mitigation steps.
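As an added example (not code from the original post, from Vercel, or from the Next.js project), the following Python WSGI filter implements the mitigation the summary describes for apps that are not hosted on Vercel: any inbound request that carries the x-middleware-subrequest header is either rejected or has the header removed before the request is forwarded. Only the header name comes from the advisory; the function and class names, the demo app and the sample requests are constructed for this illustration. In a real deployment this rule belongs in the WAF or reverse proxy that sits in front of the Next.js server, so that the header is stopped before Next.js sees it.

```python
"""Header-blocking filter for the x-middleware-subrequest mitigation.

Added example, not from the original post or the Next.js project.
The only value taken from the advisory is the header name; everything
else (names, demo app, sample requests) is constructed here.
"""

from typing import Callable, Iterable, Tuple

BLOCKED_HEADER = "x-middleware-subrequest"
# WSGI exposes request headers as HTTP_<NAME> with dashes turned into underscores.
WSGI_KEY = "HTTP_" + BLOCKED_HEADER.upper().replace("-", "_")


def request_carries_blocked_header(environ: dict) -> bool:
    """True if the inbound request carries the header, whatever its value."""
    return WSGI_KEY in environ


def strip_blocked_header(environ: dict) -> dict:
    """Return a copy of the environ with the blocked header removed."""
    return {k: v for k, v in environ.items() if k != WSGI_KEY}


class BlockSubrequestHeader:
    """WSGI middleware placed in front of the protected app.

    mode='reject' answers 403 to any request carrying the header;
    mode='strip' drops the header and forwards the request unchanged otherwise.
    """

    def __init__(self, app: Callable, mode: str = "reject") -> None:
        if mode not in ("reject", "strip"):
            raise ValueError("mode must be 'reject' or 'strip'")
        self.app = app
        self.mode = mode

    def __call__(self, environ: dict, start_response: Callable) -> Iterable[bytes]:
        if request_carries_blocked_header(environ):
            if self.mode == "reject":
                start_response("403 Forbidden", [("Content-Type", "text/plain")])
                return [b"forbidden\n"]
            environ = strip_blocked_header(environ)
        return self.app(environ, start_response)


def demo_app(environ: dict, start_response: Callable) -> Iterable[bytes]:
    """Stand-in for the protected app: reports whether the header reached it."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    seen = "present" if request_carries_blocked_header(environ) else "absent"
    return [f"header {seen}\n".encode()]


def run_request(app: Callable, environ: dict) -> Tuple[str, bytes]:
    """Minimal WSGI driver for the demo: returns (status line, response body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    body = b"".join(app(environ, start_response))
    return captured["status"], body


if __name__ == "__main__":
    # Constructed sample requests; the header value is a placeholder, not a real payload.
    clean = {"REQUEST_METHOD": "GET", "PATH_INFO": "/admin"}
    tagged = dict(clean, HTTP_X_MIDDLEWARE_SUBREQUEST="constructed-value")
    for mode in ("reject", "strip"):
        guarded = BlockSubrequestHeader(demo_app, mode=mode)
        print(mode, run_request(guarded, clean), run_request(guarded, tagged))
```

The check deliberately ignores the header's value: the header is only meaningful for requests Next.js makes to itself, so a copy arriving from the public internet has no legitimate reason to be there regardless of what it contains. Logging the 403s from reject mode also gives a cheap detection signal for attempts against unpatched instances.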
For more insights, check out the original tweet here: https://twitter.com/grok/status/1904151941476741220